Win32/FakeRemoc is a family of trojans that claim to scan for malware and display fake warnings of “malicious programs and viruses”. They inform the user that they need to pay money to register the software in order to remove these non-existent threats. These trojans may subvert an affected user's web activity, or attempt to download other malware, such as Trojan:Win32/Hiloti. They may also display dialogs that mimic the Windows Security Center.
Common behavior
Members of the Win32/FakeRemoc family may exhibit different user interfaces and behavior depending on the variant. The following behavior is common to most variants active at the time of publication.
The malware may be installed by a fake web scanner in a manner similar to that described below. It may also be installed by another trojan, such as TrojanDownloader:Win32/Renos.IF, in which case the dropper may instruct the installer to run silently, without displaying any dialogs.
When run, the malware’s installer places the files in a subdirectory of the %ProgramFiles% directory. The name of this subdirectory is dependent on the name that the malware uses for itself.
For example, the following product and subdirectory name combinations have been observed:
- Virus Remover 2009 (%ProgramFiles%\VirusRemover2009)
- Spyware Remover 2009 (%ProgramFiles%\SpywareRemover2009)
- Secure Expert Cleaner (%ProgramFiles%\SecureExpertCleaner)
- AntiMalware Suite (%ProgramFiles%\AntiMalwareSuite)
- PC AntiMalware (%ProgramFiles%\PCAntiMalware)
- Cleaner 2009 Freeware (%ProgramFiles%\Cleaner2009 Freeware)
- Total Virus Protection (%ProgramFiles%\TotalVirusProtection)
- AntiMalware Guard (%ProgramFiles%\AntiMalwareGuard)
It also adds icons to the desktop and the system tray, and an item to the Start menu; the icons displayed differ according to the malware's branding.
It also stores a large amount of configuration and status information in registry entries under HKCU\Software\<ProductName> (for example, HKCU\Software\AntiMalwareSuite).
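The installation footprint above (a branded subdirectory under %ProgramFiles%, a matching HKCU\Software\<ProductName> key, and the PP.exe registration helper described later) is enough for a quick host triage. The following PowerShell script is an added example and is not part of the original analysis: it checks for every directory and registry name listed on this page. Checking the 32-bit Program Files root on 64-bit Windows, trying the display name as well as the spaceless form for the registry key, and expecting PP.exe inside the product directory are assumptions made here and are marked in the code.

```powershell
# Added triage script; not part of the original analysis. Directory and registry
# names are the ones observed in the write-up. Assumptions are marked below.

# Display name -> %ProgramFiles% subdirectory, as listed in the analysis.
$FakeRemocProducts = [ordered]@{
    'Virus Remover 2009'     = 'VirusRemover2009'
    'Spyware Remover 2009'   = 'SpywareRemover2009'
    'Secure Expert Cleaner'  = 'SecureExpertCleaner'
    'AntiMalware Suite'      = 'AntiMalwareSuite'
    'PC AntiMalware'         = 'PCAntiMalware'
    'Cleaner 2009 Freeware'  = 'Cleaner2009 Freeware'
    'Total Virus Protection' = 'TotalVirusProtection'
    'AntiMalware Guard'      = 'AntiMalwareGuard'
}

function New-Finding([string]$Type, [string]$Product, [string]$Value) {
    [pscustomobject]@{ Type = $Type; Product = $Product; Value = $Value }
}

function Get-FakeRemocHostIndicators {
    [CmdletBinding()]
    param($Products = $FakeRemocProducts)

    # The analysis names only %ProgramFiles%; also checking the x86 root on
    # 64-bit Windows is an assumption added here.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    foreach ($entry in $Products.GetEnumerator()) {
        $display = $entry.Key
        $dirName = $entry.Value

        foreach ($root in $roots) {
            $dir = Join-Path $root $dirName
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
            New-Finding 'Directory' $display $dir

            # PP.exe is the registration helper named in the analysis; that it
            # sits inside the product directory is an assumption.
            Get-ChildItem -LiteralPath $dir -Recurse -Filter 'PP.exe' -ErrorAction SilentlyContinue |
                ForEach-Object { New-Finding 'File' $display $_.FullName }
        }

        # Configuration and status are kept under HKCU\Software\<ProductName>.
        # The analysis shows the spaceless form (AntiMalwareSuite); the display
        # name is also tried in case a variant uses it (assumption).
        foreach ($keyName in @($dirName, $display) | Select-Object -Unique) {
            $key = "HKCU:\Software\$keyName"
            if (Test-Path -LiteralPath $key) {
                New-Finding 'RegistryKey' $display $key
            }
        }
    }

    # A live registration prompt shows up as a running PP.exe.
    Get-Process -Name 'PP' -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Process' 'PP.exe' $_.Path }
}

Get-FakeRemocHostIndicators | Format-Table -AutoSize
```

Two caveats for use: HKCU: is the hive of the user running the script, so on a shared machine run it as the affected user or walk the loaded hives under HKU: instead; and, as the analysis notes, the family changes its branding regularly, so the name table needs to be kept current rather than treated as complete.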
It then displays its scanner and runs a fake scan of the user's system, usually reporting multiple malware infections that are not actually present on the system.
It informs users that they need to pay money to register the software in order to remove these non-existent threats.
Once it is installed, it contacts a server to report details of the installation. Servers observed to be used in this manner in the wild have included 'pcprotectiontool.com', 'pccleansolution.com' and 'antimalwareguard.com'.
Attempts to activate various other features of the fake scanner will also result in a prompt for the user to register it.
If a registration attempt is made, the malware invokes a separate executable named PP.exe, which displays a registration page.
The malware regularly pops up reminder dialogs and balloons asking the user to register it.
Downloads and executes arbitrary malware
Should the user choose to update the scanner, the trojan may contact a server such as updl.pccleansolution.com and attempt to download and execute a file. At the time of publication, this file was a variant of the Trojan:Win32/Hiloti family.
Displays fake Web scanner and downloads other FakeRemoc variants
Periodically the malware contacts a server, at a location such as 'ad.pccleansolution.com', which advises it of another location from which to download some HTML content. At the time of publication, this second location was either 'toppromooffer.com' or 'offer-provider.com'. It then displays this content in a window so that it appears to be running a web-based scan of the user's system.
Once this scan is completed, it reports that the system is infected and that the user should run a full scan.
If the user attempts to close the window, a further dialog is displayed.
Should the user click the Full Scan button, it downloads an updated version of Win32/FakeRemoc from the same server that hosted the fake scanner. This version may carry different branding from the previous one.
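The installation check-in, the update download and the fake web scanner described above all go to a small set of domains, so proxy or DNS logs can be searched for them. The following PowerShell is an added example, not part of the original analysis: it matches a host field against the domains named on this page, accepting the apex or any subdomain so that 'updl.' and 'ad.' hosts are caught while look-alike names such as 'notpccleansolution.com' are not. The log format and the sample lines are constructed for the example; the URL paths the malware requests are not documented here, so the match is on host name only.

```powershell
# Added example; not from the original analysis. Domains are those named in the
# write-up. The log format and sample lines below are constructed, not captured.

$FakeRemocDomains = @(
    'pcprotectiontool.com',   # installation check-in
    'pccleansolution.com',    # check-in; updl. (Hiloti download) and ad. (fake scanner) subdomains
    'antimalwareguard.com',   # installation check-in
    'toppromooffer.com',      # fake web scanner content
    'offer-provider.com'      # fake web scanner content
)

# Returns the matching apex domain, or $null. Matches the apex itself or any
# subdomain; a bare suffix match would also hit unrelated names.
function Test-FakeRemocDomain {
    param([Parameter(Mandatory)][string]$HostName)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($d in $FakeRemocDomains) {
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $d }
    }
    return $null
}

# Constructed line format (assumption): "<timestamp> <client-ip> <host> <url-path>"
function Find-FakeRemocConnections {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<host>\S+)\s+(?<path>\S+)'
    foreach ($line in $LogLines) {
        if (-not ($line -match $pattern)) { continue }
        $apex = Test-FakeRemocDomain -HostName $Matches.host
        if ($apex) {
            [pscustomobject]@{
                Time   = $Matches.ts
                Client = $Matches.client
                Host   = $Matches.host
                Domain = $apex
                Path   = $Matches.path
            }
        }
    }
}

# Constructed sample lines; the paths are placeholders, not observed values.
$sample = @(
    '2009-06-01T10:00:01Z 10.0.0.12 pccleansolution.com /',
    '2009-06-01T10:05:43Z 10.0.0.12 ad.pccleansolution.com /',
    '2009-06-01T10:05:44Z 10.0.0.12 toppromooffer.com /',
    '2009-06-01T10:06:10Z 10.0.0.12 updl.pccleansolution.com /',
    '2009-06-01T10:07:00Z 10.0.0.30 notpccleansolution.com /',
    '2009-06-01T10:08:00Z 10.0.0.31 www.example.com /'
)

Find-FakeRemocConnections -LogLines $sample | Format-Table -AutoSize
```

On the sample above the first four lines are reported and the last two are not. A single client hitting the check-in domain, then 'ad.' and a scanner domain, then 'updl.' in sequence is the pattern the analysis describes, and the 'updl.' hit in particular should prompt a look for a Win32/Hiloti dropper on that host.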
AntiMalwareSuite / PCAntiMalware
The fake scanner displayed by this branding/distribution of Win32/FakeRemoc is similar to, or the same as, the examples described above. In addition, it may periodically display dialogs with fake warnings of ongoing malicious activity.
The malware regularly changes the names that it uses. For example, the following scanner is displayed by a variant calling itself PCAntiMalware:
Virus Remover 2009 / Total Virus Protection
In addition to the scanner, this version of Win32/FakeRemoc also displays a fake version of the Windows Security Center:
Some variants also monitor web activity and block access to certain sites or searches, instead displaying a page recommending that the user download or register the fake scanner.
In addition to English, there are versions that are partially displayed in French, German, and Italian; the fake Security Center dialogs and popup balloons are still displayed in English.
Some versions have an icon which appears similar to the Windows Security Center shield.
Spyware Remover 2009 / AntiMalwareGuard
Some of these may also display the fake Windows Security Center described above.
Secure Expert Cleaner
Cleaner 2009 Freeware
Analysis by David Wood